urelas | 58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96

General

Target

58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe
Size

335KB
MD5

f52d3281e69ae3ddbebd9a491f2e4510
SHA1

0cef681704c8587ef790d9912b2ee5050af93ca4
SHA256

58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96
SHA512

110deb3bbd9419f80df41a351a51072c7db02060c6ff9be197291a5494c50fa20b97fbe0ac4c7884f6aa9f9865bb2481d99a03bc80e4c5182fbfe9361453423d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIc8:vHW138/iXWlK885rKlGSekcj66ci/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2520	puivg.exe
332	keasl.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe
2520	puivg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puivg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keasl.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe
332	keasl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2520	2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	30
PID 2004 wrote to memory of 2520	2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	30
PID 2004 wrote to memory of 2520	2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	30
PID 2004 wrote to memory of 2520	2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	30
PID 2004 wrote to memory of 2772	2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	31
PID 2004 wrote to memory of 2772	2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	31
PID 2004 wrote to memory of 2772	2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	31
PID 2004 wrote to memory of 2772	2004	58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe	31
PID 2520 wrote to memory of 332	2520	puivg.exe	34
PID 2520 wrote to memory of 332	2520	puivg.exe	34
PID 2520 wrote to memory of 332	2520	puivg.exe	34
PID 2520 wrote to memory of 332	2520	puivg.exe	34

C:\Users\Admin\AppData\Local\Temp\58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe
"C:\Users\Admin\AppData\Local\Temp\58947f946837913bea9024f5104557ae5ee5119f52a277bb4756260906b8ef96N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\puivg.exe
  "C:\Users\Admin\AppData\Local\Temp\puivg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\keasl.exe
    "C:\Users\Admin\AppData\Local\Temp\keasl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
bda9cc642d0f59b1fd4e0b61100d9fb0

SHA1
d7a795db88d5fe019a5420e8e4284443b5d6835a

SHA256
cee677f974869a541e96fb39b5174cdbdd4e09d8bc162c77347852da38767f1a

SHA512
6581143053bca038c2095e95522a10719e392fdd5320a4eeca0e996ca604b10f89b0be8f2fbd5607981e3e5d821cdc778b5fd3550a8145928092e72aa09272e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
900ab709070c4f303f36b68ff9da0eab

SHA1
fb215cf1271c2e5d3c7b10fe01c71f910345a42b

SHA256
fecf442fb70641034c1154ba2bed39e495ee82eee08833affe4a2f7990de25fa

SHA512
51640a7e928368d256d78f3db56163dbfa06c59522ed48d49a58f449fef3e97e2d1a21b3fae0f523aca73c21f0a791e7cb5305c7bd9c96969098de20feb7791e

Download Submit
C:\Users\Admin\AppData\Local\Temp\puivg.exe

Filesize
335KB

MD5
125c55e6a4e0d7b213c603bc0996cfbc

SHA1
6364d3410e0fbdb30690a076e3af9ef7d0dd7b7c

SHA256
748051d2fc3e7fe433309bc74bc6bb8ab756603a93d6e4d9e5790dd2acdf16d1

SHA512
b183443f146328023a09839d4d1ea2c7866b76d94acb504fa14ed1380a7d5440909c5eeff6843c018b003d425ca349fe970811548efb0fb4426a54bb852d823d

Download Submit
\Users\Admin\AppData\Local\Temp\keasl.exe

Filesize
172KB

MD5
00331da258f8460432f30c6b0a046d82

SHA1
16e07857fb97b874d1955bcbb471433a1d12b0a4

SHA256
fb793b0beef2fae252919beb5334bf8df56cbef9e4e2a3208fe76825498945c1

SHA512
19cfd3787c297fde1eeebafe958d9173689134a8ab5a6cebd740a42ec87c613f5e4f73b0547e39b18f13c3c24f1e04ce683836013810b1702a649015454f01e6

Download Submit
memory/332-43-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/332-49-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/332-48-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/332-44-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Filesize
612KB

Download
memory/2004-0-0x00000000012C0000-0x0000000001341000-memory.dmp

Filesize
516KB

Download
memory/2004-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2004-10-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download
memory/2004-21-0x00000000012C0000-0x0000000001341000-memory.dmp

Filesize
516KB

Download
memory/2520-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2520-42-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/2520-40-0x00000000032A0000-0x0000000003339000-memory.dmp

Filesize
612KB

Download
memory/2520-24-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/2520-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2520-11-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing